On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> Yes:
> ------
> # ls -l /var/lib/sss/pubconf/krb5.include.d/
> total 8
> -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
>
> So what could I try to do?

'getent passwd' should return the same entry for the user name you use
at the login prompt and the Kerberos principal (it's the name shown by
klist in the 'Default principal:' line), e.g.:

# getent passwd [email protected]
[email protected]:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
# getent passwd [email protected]
[email protected]:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh

From the logs I guess you used the name '[email protected]' at the login
prompt.

I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
client with klist if you got a service ticket for your linux client
principal which should look like host/[email protected]. On Windows there
is klist for the cmd shell as well.

Additionally, if there is a service ticket for the linux host, sshd debug
logs from the linux host would be useful. For this please set LogLevel
to DEBUG3 in /etc/ssh/sshd_config (please note that the log might
contain confidential keys or passwords).

bye,
Sumit

> Thanks, Morgan
>
> 2015-11-27 17:47 GMT+01:00 Sumit Bose <[email protected]>:
>
> > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > Hi Sumit.
> > >
> > > I don't know why, but now kerberos ticket authentication is working on
> > > 6.7 clients.
> > > On 7.2 clients now password authentication with Active Directory
> > > credentials is working ... but not with kerberos ticket.
> >
> > This is most likely due to some issues while mapping the Kerberos
> > principal to the local user name.
> >
> > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > the beginning of your krb5.conf file? Does
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> >
> > bye,
> > Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
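
The checks asked for in this thread, collected into one script. This is an added example, not code from the thread or from the SSSD/FreeIPA projects. The function names and the script name check.sh are hypothetical, /etc/krb5.conf is assumed as the config location, and "at the beginning" of krb5.conf is read here as "before the first [section] header".

```shell
#!/bin/sh
# Added example (not from the thread). Directory and file names are the ones
# quoted in the thread; function names and the CLI are made up for this sketch.
SSS_INC=/var/lib/sss/pubconf/krb5.include.d

# True if krb5.conf ($1) has an active "includedir $SSS_INC/" line before its
# first [section] header (our reading of "at the beginning" of the file).
has_sss_includedir() {
    awk -v dir="$SSS_INC" '
        $1 ~ /^\[/ { exit }
        $1 == "includedir" { d = $2; sub(/\/+$/, "", d)
                             if (d == dir) { found = 1; exit } }
        END { exit !found }' "$1"
}

# True if the login name ($1) and the Kerberos principal ($2) resolve to the
# same passwd entry; returns 2 if either lookup finds nothing.
same_passwd_entry() {
    a=$(getent passwd "$1") || return 2
    b=$(getent passwd "$2") || return 2
    [ "$a" = "$b" ]
}

# True if klist output on stdin lists a service ticket host/<fqdn ($1)>@REALM.
has_host_ticket() {
    grep -qF "host/$1@"
}

case "${1:-}" in
host)    # on the Linux host:  sh check.sh host LOGIN_NAME PRINCIPAL
    has_sss_includedir /etc/krb5.conf ||
        echo "FAIL: no includedir $SSS_INC/ at the top of /etc/krb5.conf"
    [ -s "$SSS_INC/localauth_plugin" ] ||
        echo "FAIL: $SSS_INC/localauth_plugin is missing or empty"
    same_passwd_entry "$2" "$3" ||
        echo "FAIL: getent passwd differs (or fails) for '$2' and '$3'" ;;
client)  # where ssh is started:  sh check.sh client LINUX_HOST_FQDN
    klist | has_host_ticket "$2" ||
        echo "FAIL: no host/$2 service ticket in klist output" ;;
esac
```

Run the host mode on the Linux machine that rejects the ticket login and the client mode on the machine the ssh session starts from; no output means every check passed.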
